This is a first look at the changes in the v0.7 draft of the CMMC that was released today. We are also hosting a copy here as well. The sha1 checksum of both versions should match: 2170d92d043be87a7f646c2aaf426cfc89a8453
- First, three appendices have been added:
  - APPENDIX C. CMMC LEVEL 2 DISCUSSION AND CLARIFICATION
  - APPENDIX D. CMMC LEVEL 3 DISCUSSION AND CLARIFICATION (EXCLUDING NIST 800-171 PRACTICES)
  - APPENDIX E. CMMC MATURITY PROCESS DISCUSSION AND CLARIFICATION
- The new version changed “committed to working with the Defense Industrial Base (DIB)” in the introduction to “is working with the Defense Industrial Base (DIB)”, reflecting active work with the DIB rather than merely a commitment to it.
- The following sentence was added in the introduction: “With respect to implementation, a DIB contractor may meet a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s).” This seems to be a clarification, or even a concession, but the clarification in the appendices for at least Access Control (AC) P1001 still refers only to the “company network”.
- The following sentence was added in Section 2.1.3 for Level 3: “Note that organizations subject to DFARS clause 252.204-7012 will have to meet additional requirements such as incident reporting.” This is an interesting caveat that may very well cause some confusion.
- In v0.6, section 2.1.4 addressed both Level 4 and Level 5. In v0.7 this has been split: section 2.1.4 addresses Level 4 and section 2.1.5 addresses Level 5. This is a minor change.
- In the CMMC PROCESS MATURITY table, ML-4 #2 has changed from “Inform high-level management of any issues with [DOMAIN NAME] activities” to “Review the status and results of [DOMAIN NAME] activities with higher level management and resolve issues.” In practice, this is a fairly significant change to the level of involvement expected from higher-level management, and it adds a requirement to resolve issues within each domain.
- In Section 3 – READING THE MODEL, clarification was added around the fact that the practices and capabilities build cumulatively on lower levels. The Level 4 and 5 detail was also added to the Example Model Capability with Practices from the AC Domain. This is more of a minor cosmetic change related to the incorporation of Level 4 & 5 within the new version.
- A legal disclaimer was added to the top of the modeling table.
- In the AC domain, P1012 and P1014 were moved from Level 2 to Level 3.
- In the SCP domain, P1177 was also moved from Level 2 to Level 3.
We have not had time to review the Level 4 and 5 practices and capabilities, but did notice that 15.3 (Use a Wireless Intrusion Detection System) from the CIS Controls v7.1 was placed in Level 5. That control reads: “Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.” That would seem like something that really would be done if complying with 800-171. Stay tuned as we dig further into this.